Aave DIVA Wrapper

DIVA

HardhatDeFi

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Potential DOS due to Gas Exhaustion Due to Large Array Iteration

Zealynx

Description

The AaveDIVAWrapper contract implements several batch functions that allow users to perform multiple operations in a single transaction. The following batch functions lack array length validation and are accessible by any user:

function batchCreateContingentPool(PoolParams[] calldata _poolParams)

function batchAddLiquidity(AddLiquidityArgs[] calldata _addLiquidityArgs)

function batchRemoveLiquidity(RemoveLiquidityArgs[] calldata _removeLiquidityArgs)

function batchRedeemPositionToken(RedeemPositionTokenArgs[] calldata _redeemPositionTokenArgs)

function batchRedeemWToken(RedeemWTokenArgs[] calldata _redeemWTokenArgs)

Each of these functions iterates through user-provided arrays without any maximum length check. For each iteration:

batchCreateContingentPool: Creates a new pool and mints position tokens
batchAddLiquidity: Transfers tokens, supplies to Aave, and mints wTokens
batchRemoveLiquidity: Burns tokens and processes withdrawals
batchRedeemPositionToken: Processes token transfers and redemptions
batchRedeemWToken: Processes wToken burns and withdrawals

Each operation in these loops involves significant gas costs due to storage operations, external calls, and token transfers.

Impact

The lack of array length validation can lead to gas exhaustion and denial of service:

Transaction Failure:
- A malicious user can call these functions with arrays large enough to exceed the block gas limit
- The transaction will revert, making the batch functions unusable
- Users will waste gas on failed transactions
Protocol Disruption:
- Legitimate users cannot use batch functions for large operations
- Forces users to split operations into multiple transactions, increasing costs
- May block critical protocol operations during high activity periods

Mitigation

Add a maximum array length validation to all affected batch functions.

// Add constant at contract level

uint256 private constant MAX_BATCH_SIZE = 50; // Adjust based on gas analysis

Updates

Lead Judging Commences

bube Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

519

29 USDC / LOC

High Medium

14,000

Low

1,000

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.